Defense4All Overview

Defense4All is an SDN application for detecting and mitigating DDoS attacks. The figure below depicts the positioning of Defense4All in OpenDaylight environment.

Figure 6.1. Defense4All Overview

The application communicates with OpenDaylight Controller through the ODC north-bound REST API.

Through the REST API Defense4All performs the following tasks:

  1. Monitoring behavior of protected traffic - the application sets flow entries in selected network locations to read traffic statistics for each of the PNs, aggregating the statistics collected for a given PN from multiple locations.
  2. Diverting attacked traffic to selected AMSs - the application sets flow entries in selected network locations to divert traffic to the selected AMSs. When an attack is over, the application removes these flow entries, returning the network to normal operation and traffic monitoring.
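The two tasks above form one loop: read per-location counters, aggregate them per PN, decide whether the PN is under attack, and switch the flow entries at the monitored locations between "monitor" and "divert". The following Python is an added illustration of that loop and is not Defense4All's own code (the real application is Java and drives the controller over the ODC REST API). The detection rule (a multiple of the PN's historical average), the `install_flow`/`remove_flow` stand-ins for controller calls, the sample counters, the location names and the AMS name are all constructed assumptions for this example.

```python
"""Toy model of the monitor / detect / divert / restore cycle.

Assumptions (constructed for illustration, not from Defense4All):
- every monitored network location reports a byte counter per PN each
  collection period;
- `install_flow` / `remove_flow` stand in for the controller's REST
  calls and simply record the flow entry locally.
"""
from collections import defaultdict
from statistics import mean

# Per-PN history of aggregated per-period totals (the "periodic traffic averages").
_history = defaultdict(list)
# Flow entries the application currently holds, keyed by (pn, location).
_installed_flows = {}
# PNs whose traffic is currently diverted to an AMS.
_diverted = set()


def reset_state():
    """Clear all bookkeeping (handy for repeated runs and tests)."""
    _history.clear()
    _installed_flows.clear()
    _diverted.clear()


def installed_flows():
    """Snapshot of the flow entries the application believes are installed."""
    return dict(_installed_flows)


def install_flow(pn, location, action):
    # Stand-in for a REST call to the controller: just record the entry.
    _installed_flows[(pn, location)] = action


def remove_flow(pn, location):
    _installed_flows.pop((pn, location), None)


def start_monitoring(locations):
    """Install a statistics-reading entry for every PN at every location."""
    for pn, locs in locations.items():
        for loc in locs:
            install_flow(pn, loc, {"type": "monitor"})


def aggregate_pn_stats(samples):
    """Sum per-location counters into one figure per PN.

    `samples` is a list of (pn, location, nbytes) tuples, one per
    monitoring flow entry read during a collection period.
    """
    totals = defaultdict(int)
    for pn, _location, nbytes in samples:
        totals[pn] += nbytes
    return dict(totals)


def is_attack(pn, current, factor=3.0, min_history=3):
    """Flag an attack when the period's total exceeds `factor` times the
    PN's historical average; needs `min_history` baseline periods first."""
    baseline = _history[pn]
    if len(baseline) < min_history:
        return False
    return current > factor * mean(baseline)


def divert(pn, locations, ams):
    """Replace the monitoring entries with entries steering traffic to the AMS."""
    for loc in locations:
        install_flow(pn, loc, {"type": "divert", "to": ams})


def restore(pn, locations):
    """Attack over: drop the diversion entries and go back to monitoring."""
    for loc in locations:
        remove_flow(pn, loc)
        install_flow(pn, loc, {"type": "monitor"})


def process_period(samples, locations, ams="ams-1"):
    """One collection period. Returns {pn: "attack" | "normal"}."""
    decisions = {}
    for pn, total in aggregate_pn_stats(samples).items():
        if is_attack(pn, total):
            decisions[pn] = "attack"
            if pn not in _diverted:
                divert(pn, locations[pn], ams)
                _diverted.add(pn)
        else:
            decisions[pn] = "normal"
            # Only normal periods feed the baseline, so attack traffic
            # cannot inflate the average it is later compared against.
            _history[pn].append(total)
            if pn in _diverted:
                restore(pn, locations[pn])
                _diverted.discard(pn)
    return decisions


if __name__ == "__main__":
    locs = {"pn-a": ["loc1", "loc2"]}
    start_monitoring(locs)
    for period in ([100, 120], [110, 130], [100, 100], [500, 400], [200, 100]):
        samples = [("pn-a", loc, n) for loc, n in zip(locs["pn-a"], period)]
        print(process_period(samples, locs), installed_flows())
```

Running the module as a script walks one PN through three baseline periods, one attack period (the diversion entries appear) and one post-attack period (the monitoring entries return).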

Defense4All can optionally communicate with the defined AMSs, for example to dynamically configure them, monitor them, or collect and act upon attack statistics from them. The API to an AMS is not standardized and is in any case beyond the scope of the OpenDaylight work. Defense4All contains a reference implementation of a pluggable driver to communicate with Radware's DefensePro AMS.

The application presents its north-bound REST and CLI APIs to allow its manager to:

  1. Control and configure the application (runtime parameters, ODC connectivity, AMSs in the domain, PNs, and so on).
  2. Obtain reporting data - operational or security, current or historical, unified from Defense4All and other sources such as ODC and AMSs.

Defense4All provides unified management, reporting and monitoring.

Management - An important part of Defense4All operation is to allow users simple "one touch", abstracted provisioning of security services, for both detection and mitigation operations. The user needs to specify only simple security attributes.

Reporting and monitoring operations - An important part of security services is the combination of (near) real-time logs for monitoring and historical logs for reporting. Defense4All provides a unified interface for both purposes. The monitoring information is based on various events collected from Defense4All, AMSs and ODC, allowing a rich and correlated view of events. Logged event records can be operational or security related. The former include failures, errors and informational logs; the latter include detections, attacks and attack mitigation lifecycles, traffic diversion information and periodic traffic averages. All logs are persistent (stable storage and replication).
